Candidate: CVE-2020-15168
PublicDate: 2020-09-10 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
 https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
 https://www.npmjs.com/package/node-fetch
Description:
 node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size
 option after following a redirect, which means that when a content size was
 over the limit, a FetchError would never get thrown and the process would
 end without failure. For most people, this fix will have a little or no
 impact. However, if you are relying on node-fetch to gate files above a
 size, the impact could be significant, for example: If you don't
 double-check the size of the data after fetch() has completed, your JS
 thread could get tied up doing work on a large file (DoS) and/or cost you
 money in computing.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L [5.3 MEDIUM]


Patches_node-fetch:
upstream_node-fetch: needs-triage
precise/esm_node-fetch: DNE
trusty_node-fetch: ignored (out of standard support)
trusty/esm_node-fetch: DNE
xenial_node-fetch: DNE
bionic_node-fetch: needs-triage
focal_node-fetch: needs-triage
groovy_node-fetch: ignored (reached end-of-life)
hirsute_node-fetch: not-affected (2.6.1-3)
impish_node-fetch: not-affected (2.6.1-3)
jammy_node-fetch: not-affected (2.6.1-3)
devel_node-fetch: not-affected (2.6.1-3)